1. Forum
  2. Usenet
  3. LINUX.GENTOO.USER

  • [gentoo-user] Strange behaviour of iptables

    From Matthias Hanft@21:1/5 to All on Wed Jan 1 18:40:01 2025
    Hi,

    when I call

    /usr/bin/iptables -L COUNT -n -v -x -w

    from bash, everything works well - as it did for years.

    When I call the same command from PHP:

    exec("/usr/bin/iptables -L COUNT -n -v -x -w", $iptables);

    I get (since this month) the message

    iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
    Try `iptables -h' or 'iptables --help' for more information.

    I think it has to do with "xtables-legacy-multi" (which is the
    only entry of "eselect iptables list" and the softlink target
    for all iptables* commands).

    When I remove '-n' from the command line, the error message
    changes to

    iptables v1.8.11 (legacy): Illegal option `--exact' with this command
    Try `iptables -h' or 'iptables --help' for more information.

    So it seems that I can't use any parameters at all any more -
    from PHP.

    What's the trick to get this working again?

    Thanks,

    -Matt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Matt Connell@21:1/5 to Matthias Hanft on Thu Jan 2 05:40:01 2025
    On Wed, 2025-01-01 at 18:33 +0100, Matthias Hanft wrote:

    So it seems that I can't use any parameters at all any more -
    from PHP.

    What's the trick to get this working again?

    Hmm. I can't replicate this failure. Using both `php -a` and foo.php,
    I get expected results. (I'm using the INPUT chain because that's what
    I have with real rules.)

    ---

    php > exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
    php > var_dump($iptables);
    array(37) {
    [0]=>
    string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
    ...
    ...

    ---

    $ cat foo.php
    <?php
    exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
    var_dump($iptables);
    $ php foo.php
    array(37) {
    [0]=>
    string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
    ...
    ...

    ---

    I noticed that your path to iptables is in /usr/bin/, but `which` on my
    system says /sbin/. Are you running this as root? What version of PHP
    are you using?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Matthias Hanft@21:1/5 to Matt Connell on Thu Jan 2 09:20:01 2025
    Matt Connell schrieb:

    I noticed that your path to iptables is in /usr/bin/, but `which` on my system says /sbin/. Are you running this as root? What version of PHP
    are you using?

    Yes, everything is run as root. Indeed I had /sbin/iptables in my PHP script. Getting this error, I tried "which iptables" in a root bash which showed /usr/bin/iptables. So I changed this (and even to "/usr/bin/iptables-legacy", but with no effect, presumably because of...

    n ~ # ls -l /sbin/iptables
    lrwxrwxrwx 1 root root 20 Apr 18 2024 /sbin/iptables -> xtables-legacy-multi
    n ~ # ls -l /usr/bin/iptables
    lrwxrwxrwx 1 root root 20 Apr 18 2024 /usr/bin/iptables -> xtables-legacy-multi
    n ~ # ls -l /usr/bin/iptables-legacy
    lrwxrwxrwx 1 root root 20 Dec 21 09:30 /usr/bin/iptables-legacy -> xtables-legacy-multi

    So everything seems to call "xtables-legacy-multi" anyway.

    Your "foo.php" does run here, too. I wonder what's the difference?! PHP is 8.2.24.

    The only difference is that my "exec" is in a class method in a PHP file
    which is included by "require_once". And it has worked for years... don't
    know exactly when it got broken ("cron @monthly" to count monthly IP traffic).

    -Matt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ro Bra@21:1/5 to All on Fri Jan 3 00:10:02 2025
    What's going on here?

    Matt Connell <[email protected]> hat am 02.01.2025 20:25 CET geschrieben:


    On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
    Your "foo.php" does run here, too.  I wonder what's the difference?!
    PHP is 8.2.24.

    Same PHP version here.

    The only difference is that my "exec" is in a class method in a PHP
    file which is included by "require_once".  And it has worked for
    years...

    Can you paste your exec method? I've never tried overriding
    (overloading?) a built-in method in this way, I'm a little surprised it
    works as well as you say. Then again I've always used shell_exec so...

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Matt Connell@21:1/5 to Ro Bra on Fri Jan 3 02:20:02 2025
    On Fri, 2025-01-03 at 00:03 +0100, Ro Bra wrote:
    What's going on here?

    Compare & Contrast troubleshooting.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Matthias Hanft@21:1/5 to Alexis on Fri Jan 3 11:40:01 2025
    Alexis wrote:


    So what happens if you instead do:

    ```
    exec("/usr/bin/xtables-legacy-multi iptables-legacy -L COUNT -n -v
    -x -w", $iptables);
    ```

    ?

    Just the same:

    iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
    Try `iptables -h' or 'iptables --help' for more information.

    If I omit "-n", I get the message "Illegal option `--exact' with this command", and if I omit "-n" and "-x", it seems to work, but without "-x" I get "2M" bytes
    (instead of 2048000 bytes) which is hard to calculate with.

    Anyway, I omitted one parameter after another, and the problem seems
    to be "-Z" when I want to clear the counters - and it has nothing to do
    with PHP; I had overlooked that the monthly PHP cronjob clears the
    counters (of course), while an interactive COUNT does not.

    So after some tests (without PHP, just from bash) I get the following:

    /sbin/iptables -L COUNT -n -v -x -w

    does work, while

    /sbin/iptables -L -Z COUNT -n -v -x -w

    does *not*.

    "man iptables" says for the "-L" option:

    "It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed." (which is what I want and worked for years).

    Just "iptables -Z COUNT" does work, but obviously not in combination with
    "-n" and "-x" (which I need for "-L").

    I could run "-L -x -n" and "-Z" one after another, but that would not be
    atomic any more (which wouldn't be fatal in my case, though).

    Could it be an iptables bug since last update? Should I file a bug report?

    -Matt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)